Sadly, folks just don't always get it, or if / when they finally do, they don't put enough time and $$ into remediation and problem resolution. Even then, attackers will continue to put a lot of effort into going after Sony, time and time again, because now, they have a huge target painted on them, for the world to see.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Elite or not, SOMEBODY is still overlooking the holes, and they continue to do so. Like I'd said, whether they like it or not, the target is there...

The thing about 'elite teams' is that sometimes they get so confident that they overlook little / simpler things. I can't count on the fingers and toes, of my whole family, how many 'elite' network folks, for instance (the 'I'm a Cisco guy, and I know my setup is sound' types,) whom I've pointed out misconfigurations to, as well as the IT security teams, that often just don't understand that they DON'T know all there is to know, with regard to their network.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Fact / truth is, if they're THAT elite, they should be comfortable asking for help, because they should know that they don't know it all. Sony needs to spend some serious time, energy and money on a total, top-to-bottom review of every system, every security measure, their security training... their entire security posture. (You get the point.)

But when it's become a recurring event, not only is it embarassing, but it's a risk to your entire business, as well as the businesses of those that do business with you.

Sony'd better get on it.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

No. I think you misunderstood my point. I was responding to your 'elite' remark. Fact is, I doubt it was the same thing, twice (although anything is possible.)

The point I'm making is this... IF you've been hacked and been put in such a bad situation, once, you put effort into fixing things, ASAP. IF you've been hacked twice, you'd REALLY better get on it, and find it (whether the same or different issues) because, unless your systems are changing THAT dynamically, which I doubt, then somebody missed something that probably should've been spotted in the 'elite' team's review, after the first incident came to light.

Granted, nobody will EVER be impenetrable, but it's becoming inexcusable to let that many records get leaked, that often, if you want to 'save face,' and NOT become every hacker's dream target.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

Here's an example from my past, where there WAS the same hole exploited. I won't name the company, but let's just say I found a MAJOR security hole for them, and reported it straight to their top folks (it was that major, that it needed addressed, ASAP.)

The response I got was that their 'elite' team had been aware of said issue, for over a year, and 'decided' it was a calculated risk. Didn't matter that it was massively hackable, and I could easily take everything from their network, top to bottom... The 'elite' folks had already decided, in their minds, that it was a necessary risk. So, in this case, they WERE aware of a hole, yet didn't fix it.

That doesn't mean Sony was aware of the first or second (or any still unremedied) holes. But as you pointed out, they are huge, and therefore, once hole one was publicly disclosed, their efforts to find and remediate any others should've gone into high gear, because common sense dictates that, now, they have that target hanging out there.

(edit - please excuse multiple posts tonight, in succession... Working from my phone, remote, and if typing gets too long, it times out during reply, and I lose it all. So better to 'chunk it up' into a couple posts, when necessary)

Last edited by hayabusa on Sat Oct 15, 2011 9:07 pm, edited 1 time in total.

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

As for the 'calculated risk,' I think you'd be amazed at how often I've run into that. You'd think they'd realize the position and risk they put themselves into, but sometimes, they'll amaze you. I'm sure others here have similar war stories. Just seems to be the norm, in the industry, and obviously, some folks need to pay more attention to regulations, as well as just apply some common sense.

Anyway, my two cents for the evening!

~ hayabusa ~

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'

You're only as strong as your weakest link. I can't believe how weak of an attack though. If I remember correctly, it was just a simple SQL injection for the 2nd hack of Sony. As mentioned, Sony probably has a whole team of highly trained security pro's and they have an unencrypted database vulnerable to simple SQL injection?

I wonder if they really care about the holes. There isn't an alternative to their network for the Play Station, and I've ran in to users that don't really care, they just want to play their game on line. It wouldn't surprise me if they put more into PR spin for being hack, than they do the security to prevent being hacked.

Sometimes the people in charge don't even understand the risks, and still claim it's acceptable. Mostly because they think it won't happen. I have a great example from my experience. Mission critical equipment and multiple week business is down failures. The ones they had been warned about and deemed "acceptable risk", but still blamed me for when they happened.

I dont know how users still give the playstation network personal information. I recently just bought ps3 but there is no way in hell my info is going in there. I rather max out my credit cards instead of someone else, thank you very much lol